多数CC攻击在web服务器日志中都有相同攻击的特征,我们可以根据这些特征过滤出攻击的ip,利用iptables来阻止
#!/bin/bash
#by yeho
#BLOG: https://linuxeye.com
OLD_IFS=$IFS
IFS=$'n'
for status in `grep '特征字符串' /data/wwwlogs/linuxeye.com_nginx.log | awk '{print $1}'
| sort -n | uniq -c`
do
IFS=$OLD_IFS
NUM=`echo $status | awk '{print $1}'`
IP=`echo $status | awk '{print $2}'`
#echo $status
if [ -z "`iptables -nvL | grep "dpt:80" | awk '{print $8}' | grep "$IP"`" ];then
if [ $NUM -gt 250 ];then
#echo IP:$IP is over $NUM, BAN IT!
/sbin/iptables -I INPUT -p tcp -s $IP --dport 80 -j DROP
fi
fi
done
